[Infusion-users] Rich text inline editor and allowed tags

Antranig Basman Antranig.Basman at colorado.edu
Thu May 27 18:25:30 UTC 2010


Hi there Jen - I'm not sure exactly how you are "observing" that the 
script tags are going missing - perhaps you could describe the exact 
steps you are performing?
I am wondering though if what you might be observing is the default 
effect of jQuery on performing document manipulation. It makes various 
attempts to be "helpful" when you paste markup into the document, for 
example using the html() method, which all eventually end up (at least 
in 1.4.x) bottling into the domManip() method. As you may see, this does 
various elaborate things to the markup, including explicitly hooking out 
any <script> blocks and making attempts to evaluate them by various 
strategies. They do not appear explicitly in the DOM after this process.

We discovered in our Engage work that this strategy is not always 
entirely reliable and in many cases it is better to go back to raw DOM 
methods for some cases (although depending on the exact markup, this can 
be hazardous - there are lots of cases where IE will barf or even crash 
hard on receiving some kinds of "incomplete" markup such as table rows).

This may be totally unrelated to what you are seeing, but perhaps not.
Cheers,
A.
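Added illustration (an editorial example, not code from the Infusion project, from jQuery, or from anyone in this thread) of the two paths Antranig contrasts above. renderLikeJQuery mimics what jQuery 1.4's domManip() does when .html() or .append() receives markup containing a script tag: the script blocks are hooked out of the fragment, so they never appear in the DOM, and inline ones are evaluated. renderLikeInnerHTML mimics a raw element.innerHTML assignment, which leaves the script elements in the DOM but never executes them (HTML5 specifies that scripts inserted through innerHTML do not run). A regular expression stands in for jQuery's real DOM walk, the evaluator is injected rather than calling eval(), and the sample markup, the host name in it and the function names are all constructed for this example.

```javascript
// Editorial example, not Infusion or jQuery code. Node-runnable sketch of
// jQuery 1.4's domManip() script handling versus a raw innerHTML assignment.
// A regex stands in for the real DOM walk; the behaviour, not the
// mechanics, is the point.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Remove every <script> block from the markup, recording what was removed.
// This is the "hooking out" step; the remaining markup is what gets inserted.
function extractScripts(html) {
  const scripts = [];
  const markup = html.replace(SCRIPT_RE, (_match, attrs, body) => {
    const src = attrs.match(SRC_RE);
    scripts.push({
      src: src ? (src[1] || src[2] || src[3]) : null,
      inline: body.trim(),
    });
    return ""; // the element does not appear in the DOM afterwards
  });
  return { markup, scripts };
}

// jQuery-style path. Inline scripts are handed to `evaluate` (jQuery uses
// globalEval, i.e. they run with the page's privileges); src= scripts would
// be fetched and run. The evaluator is injected so the example stays offline.
function renderLikeJQuery(html, evaluate) {
  const { markup, scripts } = extractScripts(html);
  const executed = [];
  for (const s of scripts) {
    if (s.src !== null) {
      executed.push({ src: s.src }); // would be loaded via a script request
    } else {
      evaluate(s.inline);
      executed.push({ inline: s.inline });
    }
  }
  return { dom: markup, executed };
}

// Raw DOM path (element.innerHTML = html): the <script> elements survive in
// the serialized DOM, but HTML5 says scripts inserted via innerHTML do not
// execute, so nothing runs.
function renderLikeInnerHTML(html) {
  return { dom: html, executed: [] };
}

// Constructed sample of what a user might type into the rich-text editor
// (the host name is made up for the example).
const SAMPLE =
  '<p>hello</p><script>window.pwned = 1;</script>' +
  '<script src="//example.test/x.js"></script><p>bye</p>';

// Run both paths with a recording evaluator instead of eval(), and return
// the outcomes side by side so they can be inspected or asserted on.
function compare(html = SAMPLE) {
  const evaluated = [];
  const viaJQuery = renderLikeJQuery(html, (code) => evaluated.push(code));
  const viaInnerHTML = renderLikeInnerHTML(html);
  return { viaJQuery, evaluated, viaInnerHTML };
}

console.log(JSON.stringify(compare(), null, 2));
```

Run it with node to see both outcomes side by side. The security reading is the same from either side of Jen's question: neither path is a sanitizer. The jQuery path removes the tag from the DOM precisely because it evaluates it, so untrusted markup pushed through .html() runs with the page's privileges. The innerHTML path keeps the tag inert, but an inert script element says nothing about event-handler attributes such as onerror, which still fire when the markup is parsed. Whichever path the inline editor ends up using, the backend cleaning Jen describes is the control that has to be relied on.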

Jennifer Bourey wrote:
> Hey Colin,
> 
> Thanks for the pointers!  That's a really useful document to know about, 
> especially since it seems like some of the configuration has changed 
> since earlier versions of FCKeditor.  
> 
> After quite a bit of debugging, I think I've determined that the script 
> tag already seems to be protected.  When I set up a simple CKEditor 
> instance and submitted it to a PHP page, the script tag did seem to show 
> up in the submitted form value.
> 
> I've also discovered that if I add the following event handler to the 
> fluid rich text editor component, the printed result includes the script 
> tag:
> 
>   afterFinishEdit: function(newVal, old, edit, view){
>        console.log($(".flc-inlineEdit-editContainer textarea").val());
>   }
> 
> From my debugging, it looks like the component's model is updated as 
> well.  I have to admit that I'm not entirely sure what's going on here. 
> I haven't quite been able to track down the code that updates any 
> required form fields, but perhaps that might be where the issue lies?
> 
> - Jen
> 
> 
> On May 26, 2010, at 8:03 AM, Colin Clark wrote:
> 
>> Hey,
>>
>> It is indeed the CKEditor that is stripping out your script tags. 
>> Their documentation isn't wicked, but I can sort of intuit that this 
>> configuration option might do the trick for you:
>>
>> http://docs.cksource.com/ckeditor%5Fapi/symbols/CKEDITOR.config.html#.protectedSource
>>
>> It seems to want a regular expression that matches all the stuff you 
>> don't want it to strip out. We expose CKEditor's configuration 
>> options via Inline Edit's "CKEditor" option, so you should be able to 
>> specify it there. If you need to get access to the CKEditor instance 
>> itself, you can use the 
>> fluid.inlineEdit.CKEditor.getEditor(editFieldElement) function.
>>
>> Hope this helps,
>>
>> Colin
>>
>> On 2010-05-26, at 12:43 AM, Eli Cochran wrote:
>>
>>> Jen,
>>> I haven't researched it but I'm betting that it's CKEditor that's doing 
>>> the stripping. And I don't know if it's a setting that can be 
>>> changed. Allowing a user to add a script is usually considered a 
>>> security risk so I'm not surprised that they'd strip them out.
>>>
>>> - Eli
>>>
>>> On May 25, 2010, at 3:18 PM, Jennifer Bourey wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I've been playing with the rich text inline editor and was hoping 
>>>> someone might be able to help me figure out how to allow script 
>>>> tags.  It seems like right now if I enter javascript into the editor 
>>>> it's magically stripped out of the content.  I wasn't quite sure if 
>>>> CKEditor was doing that, or if Fluid was.  Either way, does anyone 
>>>> know how to prevent the editor from sanitizing HTML input?  We're 
>>>> already cleaning input on the backend, and I think it'll be easier 
>>>> to only require adopters to edit the content rules in one place.
>>>>
>>>> Thanks!
>>>>
>>>> - Jen
>>>> _______________________________________________
>>>> Infusion-users mailing list
>>>> Infusion-users at fluidproject.org
>>>> http://fluidproject.org/mailman/listinfo/infusion-users
>>>
>>> Eli Cochran
>>> manager of user experience design
>>> ETS, UC Berkeley
>>>
>>> "A designer knows he has achieved perfection not when there is 
>>> nothing left to add, but when there is nothing left to take away."
>>>   - Antoine De Saint-Exupery
>>>
>>
>> ---
>> Colin Clark
>> Technical Lead, Fluid Project
>> http://fluidproject.org
>>
> 